Startup

From Exploitee.rs
Revision as of 16:40, 2 August 2011 by CJ (talk | contribs)

CE4100 Startup

Logitech Revue (this page doesn't look nice, sorry; need to get my ideas out)


The CEFDK bootloader is loaded from NAND, from "cefdk". This contains an encrypted bootloader that has a 256-bit RSA signature attached. The first part is a public key, the second part is the actual signature.

This signature is checked somewhere in the SoC, against a "burnt on" master Intel key.

Once this loads, it boots the kernel from flash (or USB). The kernel header has two 256-byte chunks of data, followed by the typical ANDROID! magic.

The first chunk is the public key. The public key for the test/eng kernel is listed below (located in the kernel/recovery images at around 0x94):

<source lang="text">
50cf 2661 2cac 7569 4f59 125b aa4d 07ad e1dc 7420 1b2c ef9a 165e 2b40 9ad6 a87d
ef27 1dc3 00e4 6b1b 840f 3f24 b2c4 83fb 8a25 6258 6767 1754 81f7 7953 b208 6d47
af68 dd2d 27cc ddb4 a253 3763 4253 1213 b1f7 d615 4fb1 105a 0a17 56ee 95c4 321a
8397 9e45 4f95 ab2a a7c9 5f68 e02c 0d99 ff0b b36d 77dc f4c6 f6d1 2d96 8daa 7eea
4dee c4bb 0b88 c480 dcd8 3454 7e3e d659 98d4 5ced 378a d421 cec7 eb44 a32a e65f
858d f232 dc90 5da6 86f2 f16f 60b1 efd3 0e4a c8e7 579a f337 fbf7 e4ef 646e f02d
1621 f271 9de3 0757 9f69 0e41 f138 d660 f081 e4b0 995a 0661 cef2 0be7 610e 31e6
c2d7 1fec 8d64 926c 2a2a fbbb 777b e430 f6b2 5cda 5674 07cd 4c58 a3ff c625 6953
</source>


This is confirmed by looking into the leaked ENG bootloader (cefdk-logitech_ka3.bin), in which the same key bytes listed above can be found (at around 0x3a1c0).

This was tested by attempting to modify the kernel (it fails to boot) and by replacing a retail kernel with a test one (it fails with bad keys).
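As an added example (not code from the original page), the following Python splits a boot image into the public key, the signature and the ANDROID! image that follow each other as described above, and checks which key a given image carries; it assumes only that the two 256-byte chunks sit immediately before the magic, and the sample image and key in it are constructed, not a real dump:

```python
"""Locate and check the key/signature chunks that precede the ANDROID! magic.

Layout assumed from the page: [... preamble ...][256-byte public key]
[256-byte signature]["ANDROID!" boot image ...]. The constructed data
below is a synthetic stand-in, not a real Revue kernel or bootloader.
"""
import hashlib
from dataclasses import dataclass

ANDROID_MAGIC = b"ANDROID!"
CHUNK = 256  # size of each of the two chunks in front of the magic


@dataclass
class SignedImage:
    pubkey: bytes      # first chunk
    signature: bytes   # second chunk
    image: bytes       # from the ANDROID! magic onward
    magic_offset: int  # where the magic was found in the input


def split_signed_image(data: bytes) -> SignedImage:
    """Find the ANDROID! magic and carve out the two chunks before it."""
    off = data.find(ANDROID_MAGIC)
    if off < 0:
        raise ValueError("no ANDROID! magic found")
    if off < 2 * CHUNK:
        raise ValueError(f"only {off} bytes precede the magic, need {2 * CHUNK}")
    key_start = off - 2 * CHUNK
    return SignedImage(pubkey=data[key_start:key_start + CHUNK],
                       signature=data[key_start + CHUNK:off],
                       image=data[off:],
                       magic_offset=off)


def parse_hex_words(words: str) -> bytes:
    """Turn the wiki's space-separated 16-bit hex words into raw bytes."""
    return bytes.fromhex("".join(words.split()))


def key_matches(pubkey: bytes, expected_words: str) -> bool:
    """True if the carved key equals the key given as wiki-style hex words."""
    return pubkey == parse_hex_words(expected_words)


def key_fingerprint(pubkey: bytes) -> str:
    """SHA-256 of the key, handy for telling test/eng and retail keys apart."""
    return hashlib.sha256(pubkey).hexdigest()


def find_key_in_blob(blob: bytes, pubkey: bytes) -> int:
    """Offset of the same key inside another dump (e.g. a bootloader), -1 if absent."""
    return blob.find(pubkey)
```

Feeding a kernel or recovery image to `split_signed_image` and comparing `key_fingerprint` across images shows whether they were signed under the same key, which is what the boot failure with a swapped kernel reflects.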